OpenVPN authentication methods


I. Text-file based authentication

1. Obtain the text-password verification script
wget http://openvpn.se/files/other/checkpsw.sh -P /etc/openvpn
cd /etc/openvpn
chmod u+x checkpsw.sh
chown nobody.nobody checkpsw.sh

2. Create the password file
For example /etc/openvpn/psw-file
File format: one "username password" pair per line, separated by a space
user1 pass
user2 pass

3. Modify the server configuration file
Add the following to server.conf:
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
4. Modify the client configuration file
First, comment out the client certificate and key:
;cert client1.crt
;key client1.key
Second, add the directive that makes the client prompt for a username and password during authentication:
auth-user-pass
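
The following is an added example and not the openvpn.se checkpsw.sh script itself: it implements the same check that an auth-user-pass-verify script run with the via-env method has to perform. OpenVPN exports the client's credentials in the environment variables `username` and `password` and treats exit status 0 as accept and 1 as reject. The names parse_psw_file, check_credentials and SAMPLE_PSW_FILE are assumptions of this example, as is the sample file content; the first run of whitespace separates the name from the password, so a password containing spaces (user3) is kept intact, which goes slightly beyond the one-word passwords in the notes.

```python
"""Added example: the via-env credential check behind auth-user-pass-verify."""
import hmac
import os
import sys

# Constructed sample of /etc/openvpn/psw-file (not a real deployment file).
SAMPLE_PSW_FILE = """\
# comment lines and blank lines are ignored
user1 pass
user2 pass

user3 p4ss word
"""


def parse_psw_file(text):
    """Return {username: password} from the text of a psw-file.

    Lines are split on the first whitespace run only, so a password that
    itself contains spaces survives intact.  Lines without a password are
    skipped rather than treated as an empty password.
    """
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        user, password = parts
        users[user] = password
    return users


def check_credentials(text, username, password):
    """True only if username exists and its password matches.

    hmac.compare_digest keeps the comparison time independent of how many
    leading characters match; an unknown user is compared against a dummy
    value so the timing does not reveal whether the name exists.
    """
    users = parse_psw_file(text)
    expected = users.get(username)
    if expected is None:
        hmac.compare_digest(b"dummy", password.encode("utf-8"))
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def main():
    # via-env: OpenVPN sets these two variables before running the script.
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/openvpn/psw-file"
    with open(path, encoding="utf-8") as fh:
        ok = check_credentials(fh.read(), username, password)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

The password file holds plaintext credentials, so it needs the same restrictive ownership and permissions as the script. On OpenVPN 2.1 and later the via-env method also requires `script-security 3` in server.conf, because that is the level that permits passing passwords to scripts through the environment.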

II. Authentication against a MySQL database

1. The pam_mysql module is required
# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz

The project's web page is:
http://pam-mysql.sourceforge.net

2. Build the module
# tar -zxvf pam_mysql-0.7RC1.tar.gz
# cd pam_mysql-0.7RC1
# ./configure --with-openssl

If configure cannot locate MySQL on its own, point it at mysql_config:
# ./configure --with-mysql=/usr/lib/mysql/mysql_config --with-openssl
# make install
# cd .libs
# cp pam_mysql.so /lib/security

3. Prepare the related services
# service saslauthd restart
Edit /etc/sysconfig/saslauthd and change
MECH=pam to MECH=shadow

4. MySQL setup
A brief outline of the installation steps:
# cd /usr/bin
# ./mysql_install_db
# service mysqld restart
# ./mysqladmin -u root password '????????'
# mysql -u root -p
> create database vpn;
> grant all on vpn.* to vpn@localhost identified by '????????';
> flush privileges;
> use vpn;
> create table vpnuser (name char(20) NOT NULL, password char(128) default NULL, active int(10) NOT NULL DEFAULT 1, PRIMARY KEY(name));
> insert into vpnuser(name,password) values ('......',password('......'));

5. Configure the pam_mysql module
Create /etc/pam.d/openvpn containing:
auth sufficient pam_mysql.so user=vpn passwd=...... host=localhost db=vpn table=vpnuser usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=3

Note the meaning of the crypt option:
crypt=0 means plaintext
crypt=1 means use crypt()
crypt=2 means use the MySQL PASSWORD() function
crypt=3 means use the MySQL PASSWORD() function with MD5
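
The value written to the password column by the INSERT statement and the crypt= value on the PAM line must describe the same hashing scheme, or every login fails. The following added example (not part of pam_mysql or MySQL) reproduces the stored forms so the correspondence can be checked offline. It assumes the mapping given in the pam_mysql README: crypt=0 plaintext, crypt=2 the output of MySQL 4.1+ PASSWORD() ('*' followed by SHA1(SHA1(pw)) in upper-case hex), crypt=3 a plain hex MD5 digest (what MySQL's MD5() returns); crypt=1 (crypt(3)) is left out to keep the example dependency-free. The function names, the sample users and the `active` handling that mirrors the where=active=1 clause are this example's own.

```python
"""Added example: stored password forms for the pam_mysql crypt= modes."""
import hashlib
import hmac


def mysql_password(pw: str) -> str:
    """Reproduce MySQL 4.1+ PASSWORD(): '*' + upper-case hex of SHA1(SHA1(pw))."""
    inner = hashlib.sha1(pw.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def md5_hex(pw: str) -> str:
    """Reproduce MySQL MD5(): lower-case hex digest."""
    return hashlib.md5(pw.encode("utf-8")).hexdigest()


def stored_value(pw: str, crypt: int) -> str:
    """What INSERT must put in the password column for a given crypt= value
    (mapping assumed from the pam_mysql README, see lead-in)."""
    if crypt == 0:
        return pw
    if crypt == 2:
        return mysql_password(pw)
    if crypt == 3:
        return md5_hex(pw)
    raise ValueError(f"unsupported crypt mode {crypt}")


def verify(stored: str, candidate: str, crypt: int) -> bool:
    """The comparison made at login time, in constant time."""
    try:
        computed = stored_value(candidate, crypt)
    except ValueError:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), computed.encode("utf-8"))


# Constructed rows of the vpnuser table, as if produced by
#   insert into vpnuser(name,password) values ('alice', password('s3cret'));
# with the default active=1, and a second user that was deactivated.
SAMPLE_ROWS = {
    "alice": {"password": stored_value("s3cret", 2), "active": 1},
    "bob": {"password": stored_value("hunter2", 2), "active": 0},
}


def authenticate(rows: dict, user: str, pw: str, crypt: int) -> bool:
    """Mirror the PAM line: usercolumn lookup, where=active=1, then crypt check."""
    row = rows.get(user)
    if row is None or row["active"] != 1:
        return False
    return verify(row["password"], pw, crypt)
```

With SAMPLE_ROWS written by PASSWORD(), `authenticate(SAMPLE_ROWS, "alice", "s3cret", 2)` succeeds while the same call with crypt=3 fails, which is exactly the mismatch to look for when a freshly configured pam_mysql rejects every user.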

6. Modify the OpenVPN settings
Generate ta.key:
# openvpn --genkey --secret keys/ta.key
Edit the server configuration file:
tls-auth ta.key 0
plugin ./openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name

Edit the client configuration file:
auth-user-pass
tls-auth ta.key 1

III. Authentication via LDAP

There are actually two approaches here as well: one uses openvpn-auth-ldap, which authenticates directly against LDAP; the other resembles the MySQL method, using pam-ldap so that authentication goes through PAM, which in turn consults LDAP.

This section mainly uses openvpn-auth-ldap. (For the other method: after yum install nss_ldap, locate the file /usr/local/etc/auth-ldap.conf, copy /usr/share/doc/nss_ldap_253/ldap.conf.pam_ldap to /etc/pam_ldap.conf, and create /etc/pam.d/openvpn.)
1. Installation
# yum install openvpn-auth-ldap

To install by hand, download auth-ldap-2.0.3.tar.gz and re2c-0.13.5.tar.gz (re2c is built first because the auth-ldap build needs it):
# tar -zxvf re2c-0.13.5.tar.gz
# cd re2c-0.13.5
# ./configure
# make
# make install
# cd ..
# tar -zxvf auth-ldap-2.0.3.tar.gz
# cd auth-ldap-2.0.3
# ./configure --prefix=/usr/local --with-openldap=/usr/local --with-openvpn=/root/openvpn-2.0.9

Alternatively, when OpenLDAP and the OpenVPN source tree are in other locations (here the RPM build tree):
# ./configure --prefix=/usr/local --with-openldap=/usr/lib/openldap --with-openvpn=/usr/src/redhat/BUILD/openvpn-2.0.9

This produces /usr/local/lib/openvpn-auth-ldap.so

2. Configuration file

Edit the configuration file auth-ldap.conf
If installed with yum, the corresponding file is under /usr/share/doc/openvpn-auth-ldap-2.0.3; if built by hand, it is /usr/local/etc/auth-ldap.conf.

Example (adjust to your environment):

# LDAP server URL
URL ldap://ldap1.example.org

# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com

# Bind Password
# Password SecretPassword

# Network timeout (in seconds)
Timeout 15

# Enable Start TLS
TLSEnable yes

# Follow LDAP Referrals (anonymously)
FollowReferrals yes

# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem

# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs

# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem

# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
# Base DN
BaseDN "ou=People,dc=example,dc=com"

# User Search Filter
SearchFilter "(&(uid=%u)(accountStatus=active))"

# Require Group Membership
RequireGroup false

# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
BaseDN "ou=Groups,dc=example,dc=com"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
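
The SearchFilter directive above substitutes the user name the VPN client sends into an LDAP search filter at the `%u` placeholder. Any code doing that substitution must escape the name as RFC 4515 requires, or a name such as `*` matches every entry. The following added example (not openvpn-auth-ldap's own code, which is not reproduced here) reads the `Directive value` lines of an auth-ldap.conf excerpt and builds the concrete filter with that escaping. The names parse_conf, escape_filter_value, build_search_filter, as_bool and SAMPLE_CONF are this example's own, and the excerpt is constructed from the sample above.

```python
"""Added example: auth-ldap.conf directives and safe %u substitution."""
import shlex

# Constructed excerpt modelled on the auth-ldap.conf sample above.
SAMPLE_CONF = """\
# LDAP server URL
URL ldap://ldap1.example.org

# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com

# Network timeout (in seconds)
Timeout 15

# Enable Start TLS
TLSEnable yes

# Base DN
BaseDN "ou=People,dc=example,dc=com"

# User Search Filter
SearchFilter "(&(uid=%u)(accountStatus=active))"

# Require Group Membership
RequireGroup false
"""


def parse_conf(text: str) -> dict:
    """Return {Directive: value}; '#' lines are comments, values may be quoted."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # strips the quotes around DNs and filters
        if len(parts) < 2:
            continue
        conf[parts[0]] = " ".join(parts[1:])
    return conf


def as_bool(value: str) -> bool:
    """Interpret yes/true/1 style directive values such as TLSEnable."""
    return value.strip().lower() in ("yes", "true", "1")


# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally, never as syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(conf: dict, username: str) -> str:
    """Replace %u in SearchFilter with the escaped user name."""
    return conf["SearchFilter"].replace("%u", escape_filter_value(username))
```

Running `build_search_filter(parse_conf(SAMPLE_CONF), "alice")` yields the expected `(&(uid=alice)(accountStatus=active))`, whereas a name of `*` becomes `(&(uid=\2a)(accountStatus=active))` and therefore matches only a literal asterisk.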

The OpenVPN configuration file is similar to the MySQL case:
plugin /usr/local/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
client-cert-not-required
username-as-common-name